:lutinblanc!*@* PRIVMSG #GPG!2266 :What with a "Please wait for Refresh NAT to be completed" error?
This is a normal chat message. =p
In the RA3 client, coloring for chat works like this:
Having "@" or +o results in light blue chat.
If you are a VIP ProfileID as defined in the RA3 client, your chat is always blue.
Being on a player's friend list results in pink chat.
Normal players are red chat.

:yxovertka!XFO9pvFf4X|155981446@* QUIT :Later!
Results from logging off or crashing.

:Cuycoybuster!XsGf4OWsFX|152886244@* PART #GPG!2266 :
Result from changing lobbies or going into a game.
This could be useful for knowing when to run a whois command to get his channels and see what game he joined. If no channels are listed then it's a lobby change.

:matchcola!*@* NOTICE #GSP!redalert3pcb!MzJ3P31DKM :5...
This is for a game lobby and not the main lobby, but this results in white text with no name when sent to channels.
If it's sent only to a user, he only sees the white text (a name may be attached, don't know...).
If a notice is sent to a game lobby while the game is in session, no text is sent.
If a notice is sent to a player while in-game, we will see the message in-game with blue text as "Username : Text".

Initial login is controlled by EA servers, which use their
Email+Password+Username system to authenticate,
then some other system for cdkey auth.

Moving on...
Stats are also controlled by EA, as is the battlecast system.
They also seem to have manglers for automatching and other purposes.

The way...
By emulating cdkey auth and login we can then get inside the custom game system, which is handled mostly by peerchat. peerchat doesn't require auth or cdkeys.

Now stats and automatching wouldn't be usable, but maybe custom matches.

Now even if the custom match listings are controlled by EA, we can still emulate the list using peerchat via /list redalert3 and then doing a GETCKEY sflags to get game status.

The point...
By doing this we can completely bypass any EA-based banning system and login and cdkey auth and be able to play custom games.

If I can get help to start logging how authentication, stats and all work, then it may be possible to develop a program to bypass cdkey auth for Red Alert 3 and possibly future games using the auth system.

Some crazy shit lawl. I can't wait to be unbanned so I can try more shit =D

Edit: aluigi, if you can find some stuff on authentication it should be possible to emulate our way bypassing cdkey auth as explained. This would be really fun for the people who have issues with logging in and DRMs.

Testing proves the following.
UTM Kick Commands are only accepted from senders with +o
Forcing a game to start will not happen without NAT Nego'ed... and having +o and even with sh flags on (Requirement must be slot 0)
Updating Game Rules is not accepted except from +o and even with sh flags on (Requirement must be slot 0)
Everyone Ready Up Command isn't accepted even from +o and even with sh flags on (Requirement must be slot 0)
raw PRIVMSG $1 :@@@GML $2/OLD is not used... because I'm still gagged and it didn't stop a valid game.
You need to be in a slot to send player option commands
raw UTM $1 :REQ/ StartPos=$5
raw UTM $1 :REQ/ StartPos=$5 if they are invalid they aren't accepted.
invalid faction is settable.

Results of able exploits.
Impersonation is still ok.
Use of Notices for white text is still ok.
Using VIP IDs is still ok.
Hijacking a channel after everyone left is still ok.
Kick Commands are accepted from +o's or hoster
Rules/Map/Slot Info Updates are only accepted from hoster
Starting a game isn't allowed except from hoster
Asking Ready Up isn't allowed except from hoster
Using the /cncgamejoin is valid and will make you join.
You can control your faction, team, color and position only if you are fully joined and in a slot (being kicked results in no slot (KickByHost/GameFull) or a Channel Kick (Non UTM)).
Your player controls must be in valid ranges.
Changing Topic doesn't have any effect on who's hoster or lobby name.
If you are kicked all you need to do is /part then /cncgamejoin and you will be slotted.

Gaining the Hoster flag seems tricky. Having +o or setting the topic to your name or having sh flags doesn't give you hoster... nor are any of those flags needed to be a hoster. (Hosting is controlled through other means.)
You cannot validate NAT Nego on a fake client, so games cannot start.

Kick Commands can only be used if you are Oper.
Game Locking can only be used if you are Oper.

Usage...

Start peerchat-irc with the args
peerchat_irc.exe -g redalert3pcb uBZwpf -i 25677635 -D 702 -p 6669 -a XaaaaaaaaX -h 00000000000000000000000000000000
Login with mIRC
use /cncjoin
use /list redalert3
find a game to join.
use /cncgamejoin #gps!redalert3pcb!XXXXXXXX
Keep readied up =)
Keep an eye on the UTMs; if you get removed, /cncgamerejoin #gps!redalert3pcb!XXXXXXXX
Annoy the game hoster for a bit.
Hoster leaves.
You /cncgametakeover #gps!redalert3pcb!XXXXXXXX
They can no longer host =)

If we are not UTM $me :KICK/ GameFull
If we get a UTM containing Game Lobby Info

Then we can start a Ready/Unready flood.

Loop Start
UTM $hoster :READY/ true
UTM $hoster :READY/ false
Loop End

Else we notify attacker and part channel (if desired)

This spam... results in the hoster updating lobby info such as slots every time we send. Now the IRC server/client results in the hoster sending the updates slowly, causing a backlog when players/hoster update their settings. Not only does it create lag but it also prevents users' settings from changing till the flood ends. This also prevents the hoster from sending any messages till the queue is completed. Now the hoster at this point will go WTF and part or quit. As a result all other users will leave, since if the host quits/parts all valid client users will part. After this we part/join and gain channel operator and do whatever we please at this point.

The point of this is we can force a hoster to leave in order to take over his channel.
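Added example (not code from this thread or from the peerchat-irc tool): a small Python parser for the IRC-style lines quoted at the top of the thread, plus the per-sender rate check a lobby server or moderation bot would use to detect and throttle the READY/ toggle flood described in this post. It assumes the UTM messages arrive with the same `:nick!user@host` prefix as the quoted PRIVMSG/NOTICE lines and that the profile ID is the part of the user field after `|`; the sample traffic is constructed.

```python
import re
from collections import defaultdict, deque

# Line shape taken from the thread's PRIVMSG/NOTICE/QUIT examples:
# ":nick!user@host COMMAND [target] :trailing"
IRC_LINE = re.compile(r'^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]*)@(?P<host>\S*)\s+'
                      r'(?P<cmd>\S+)(?:\s+(?P<target>[^:\s]\S*))?(?:\s+:(?P<trailing>.*))?$')

def parse_irc(line):
    """Split one raw line into its fields; returns None for lines that don't match."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Assumption: the numeric profile ID follows '|' in the user field (e.g. XFO9pvFf4X|155981446).
    d['profile_id'] = d['user'].split('|')[1] if '|' in d['user'] else None
    return d

class ReadyFloodDetector:
    """Flags a sender whose READY/ state changes exceed `limit` within `window` seconds."""
    def __init__(self, limit=6, window=5.0):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # nick -> timestamps of recent READY/ messages

    def observe(self, ts, line):
        """Feed one timestamped raw line; returns the offending nick or None."""
        msg = parse_irc(line)
        if not msg or msg['cmd'] != 'UTM' or not (msg['trailing'] or '').startswith('READY/'):
            return None
        q = self.events[msg['nick']]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events outside the sliding window
            q.popleft()
        return msg['nick'] if len(q) > self.limit else None

# Constructed sample traffic (not captured from a real server): one player readying
# up once, one sender toggling READY/ true/false every 100 ms.
SAMPLE = [(0.0, ':Player1!AbCdEfGhIj|100000001@* UTM #GSP!redalert3pcb!MzJ3P31DKM :READY/ true')]
SAMPLE += [(0.1 * i, ':Floodr!XsGf4OWsFX|152886244@* UTM #GSP!redalert3pcb!MzJ3P31DKM :READY/ %s'
            % ('true' if i % 2 else 'false')) for i in range(1, 21)]

def first_flagged(lines=SAMPLE, limit=6, window=5.0):
    """Run the detector over a line list; return (nick, time) of the first alert, or None."""
    det = ReadyFloodDetector(limit, window)
    for ts, line in lines:
        nick = det.observe(ts, line)
        if nick:
            return nick, ts
    return None

if __name__ == '__main__':
    print(first_flagged())
```

A server enforcing this would simply drop or delay further READY/ updates from the flagged sender, which keeps the host's update queue from backing up.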

Final Update: I'm ending this research now since I reached the peak of what is possible.

Exploits Found: Using a fake client to connect to gamespy peerchat to annoy users of RA3.

Details (the following can be done to annoy users):
Spoofing player names and Profile IDs to look like their friends.
Spoofing a Profile ID of a VIP to gain blue text.
Using the GETCDKEY command to find Encoded IP/Profile ID/Hashed CD Key
Using Notices to send white text with no name to main chat lobbies and game hosting lobbies
Using Notices to message players while in a game

Channel Exploits:
The ability to join a game lobby and register a slot
Able to stay in a game lobby and disrupt NAT Negotiation to prevent a game from launching
Spamming Player Status Changes (Ready/Faction/Color/Team/Position) to the hoster to freeze all game lobby settings
Gaining Channel Operator for custom games and preventing game hosting and annoying users with GameFull Kick Messages
Locking Channels to prevent a person from hosting a game

Extended Annoyance:
Tracking users via whois to find which channels they are in, to then join their games to prevent play
Spamming Chat Lobbies with notices and causing panic
Holding up the ability to play games
Spoofing of a trusted Username/ProfileID to impersonate a friend of a friend to gain trust and social engineer.

I'll be releasing a mIRC Script to do all of this for you and include the peerchat-irc tool to connect to gamespy.

The simplest way: launch the game, enter the multiplayer menu, dump the memory or attach a debugger to the process and search for all the occurrences of the gamename of the game (like redalert3pcb); the gamekey is some bytes around it.

Gamespy seems to handle CDKEY auth to an extent.
If I try to login from RA3 while my fake client is working with that key it will get removed.
Also you need a valid key to join lobbies or else you are +b to them.
You must be under the RA3 Game Key before joining RA3 lobbies or you will get chat banned on that IP.
Their auto detection has improved a lot; be careful and use a fully authenticated login.

You need valid IPs/Profile IDs/CDKeys and hashes to login or else you will get auto muted or even fully banned.
Valid IP must be your encoded IP.
Profile ID must be a valid profile ID in use.
CDKey must be valid and authorized to login.

To join a channel simply type /joingsa <chan> , so for the lobby /joingsa subhome

I noticed you have to type the command one more time to finally send the SETCKEY since they seem to be sent before you join the channel. No worries though, because you will still look normal to the clients. The only reason I found that out was doing a GETCKEY before and after.

Quote:

I forgot to mention the 393217000 number isn't your PID. It's the number that shows up when you do a whois on a user, i.e. ScrambledIP|<some number>; this some number is the unique number for your ID. You will have to login to your real GSA client with peerchat_proxy to find this number.
